X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/50871cf4bd151d2d271128e70a89ebf012f80779..64031e30a735969d2cfb6ad93aad87065c0e78d0:/doc/plugins/passwordauth/discussion.mdwn diff --git a/doc/plugins/passwordauth/discussion.mdwn b/doc/plugins/passwordauth/discussion.mdwn index e5ea1b922..50e21062e 100644 --- a/doc/plugins/passwordauth/discussion.mdwn +++ b/doc/plugins/passwordauth/discussion.mdwn 
@@ -66,14 +66,86 @@ easiest to setup, but on the long run, I'd prefer ikiwiki to optionnally use a userdb storage backend supported at least by Apache and lighttpd. --[[intrigeri]] -Tons of CPAN modules may help, but most of them are specific to =mod_perl=, -and AFAIK, ikiwiki is generally not run with =mod_perl=. It's not clear to me -wether these modules depend on the webapp to be run with =mod_perl= set -as the script handler, or only on =mod_perl= to be installed and loaded. +Tons of CPAN modules may help, but most of them are specific to `mod_perl`, +and AFAIK, ikiwiki is generally not run with `mod_perl`. It's not clear to me +wether these modules depend on the webapp to be run with `mod_perl` set +as the script handler, or only on `mod_perl` to be installed and loaded. -* CPAN's =Apache::AuthenHook= allows to plug arbitrary Perl handlers as +* CPAN's `Apache::AuthenHook` allows to plug arbitrary Perl handlers as Apache authentication providers. -* CPAN's =Apache::Authen::Program= (=mod_perl=) +* CPAN's `Apache::Authen::Program` (`mod_perl`) * [http://www.openfusion.com.au/labs/mod_auth_tkt/](mod_auth_tkt) along with CPAN's - =Apache::AuthTkt= + `Apache::AuthTkt` --[[intrigeri]] + +I've more or less managed to implement something based on `mod_perl` and +`Apache::AuthenHook`, respectively in Debian packages `libapache2-mod-perl2` +and `libapache-authenhook-perl`. 
+ +In the Apache VirtualHost configuration, I have added the following: + + PerlLoadModule Apache::AuthenHook + PerlModule My::IkiWikiBasicProvider + + + AuthType Basic + AuthName "wiki" + AuthBasicProvider My::IkiWikiBasicProvider + Require valid-user + ErrorDocument 401 /test/ikiwiki.cgi?do=signin + + + Satisfy any + + +The perl module lies in `/etc/apache2/My/IkiWikiBasicProvider.pm`: + + package My::IkiWikiBasicProvider; + + use warnings; + use strict; + use Apache2::Const -compile => qw(OK DECLINED HTTP_UNAUTHORIZED); + use Storable; + use Authen::Passphrase; + + sub userinfo_retrieve () { + my $userinfo=eval{ Storable::lock_retrieve("/var/lib/ikiwiki/test/.ikiwiki/userdb") }; + return $userinfo; + } + + sub handler { + my ($r, $user, $password) = @_; + my $field = "password"; + + if (! defined $password || ! length $password) { + return Apache2::Const::DECLINED; + } + my $userinfo = userinfo_retrieve(); + if (! length $user || ! defined $userinfo || + ! exists $userinfo->{$user} || ! ref $userinfo->{$user}) { + return Apache2::Const::DECLINED; + } + my $ret=0; + if (exists $userinfo->{$user}->{"crypt".$field}) { + error $@ if $@; + my $p = Authen::Passphrase->from_crypt($userinfo->{$user}->{"crypt".$field}); + $ret=$p->match($password); + } + elsif (exists $userinfo->{$user}->{$field}) { + $ret=$password eq $userinfo->{$user}->{$field}; + } + if ($ret) { + return Apache2::Const::OK; + } + return Apache2::Const::DECLINED; + } + + 1; + +This setup also allows people with the master password to create their own +account. + +I'm not really fluent in Perl, and all this can probably be improved (*or +might destroy your computer as it is* and YMMV). + +-- [[Lunar]]
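Review bot: In `handler`, the `error $@ if $@;` line in the `"crypt".$field` branch cannot do its job. `error` is neither defined nor imported in `My::IkiWikiBasicProvider`, and the `$@` it tests comes from the `eval` in `userinfo_retrieve`, where a failed `Storable::lock_retrieve` leaves `$userinfo` undefined, so the handler has already returned `DECLINED` before this line is reached. Check `$@` inside `userinfo_retrieve` right after the `eval` and report it through the request object (for example `$r->log_error`), so an unreadable or corrupt userdb is distinguishable from an unknown user. `HTTP_UNAUTHORIZED` is compiled in but never returned: a wrong password yields `DECLINED`, the same result as "user not known to this provider", and it is worth stating in the text whether that is intended. The `elsif` branch accepts an entry that stores `password` in clear text and compares it with `eq`; say in the documentation that such entries are still honoured, or drop the branch if only `cryptpassword` entries should authenticate. The userdb path `/var/lib/ikiwiki/test/.ikiwiki/userdb` is hard-coded in the module and would be easier to reuse as a configurable value. In the Apache snippet, the auth directives and `Satisfy any` appear without any enclosing container lines, so the example does not show which paths require `valid-user` and which are left open. Finally, the closing remark that people with the master password can create their own account is a behaviour change that deserves a sentence explaining how it comes about.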